7f23482fca010b12c71738bb7bb7c573f69b252d090576d3b49c5334c23d5d2b

Analysis

max time kernel
115s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 21:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3e9dbddb9384484dac43a4daf031d57e.exe
Size

1.6MB
MD5

3e9dbddb9384484dac43a4daf031d57e
SHA1

f5e715aacbc5750dda3a580a387ce61cdc0f221a
SHA256

7f23482fca010b12c71738bb7bb7c573f69b252d090576d3b49c5334c23d5d2b
SHA512

131c0d7a572eb37da8391f3b827d5f37fa92299e1c3a260f4b785c58b4e3af4c4bdbacfa980ddc0ec0c16dbf0200e559bdee85268427981596dc9a88c3c30384
SSDEEP

1536:uqyaAYwIMKIp/8PIKaNQvL58HxqpBP0+fPWNnjZwsKL46YtSLORex+o2aON2CqKl:uDBGsFeOK+0JIGHHFDA9b

Score

10^/10

evasion spyware stealer upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	3e9dbddb9384484dac43a4daf031d57e.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	3e9dbddb9384484dac43a4daf031d57e.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	3e9dbddb9384484dac43a4daf031d57e.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\3e9dbddb9384484dac43a4daf031d57e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3e9dbddb9384484dac43a4daf031d57e.exe:*:Enabled:ldrsoft"	3e9dbddb9384484dac43a4daf031d57e.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3e9dbddb9384484dac43a4daf031d57e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1116-0-0x0000000000400000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/1116-1-0x0000000000400000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/1116-2-0x0000000000400000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/1116-4-0x0000000000400000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/1116-5-0x0000000000400000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/1116-8-0x0000000000400000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/1116-10-0x0000000000400000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/1116-12-0x0000000000400000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/1116-14-0x0000000000400000-0x0000000000594000-memory.dmp	upx
behavioral2/memory/1116-17-0x0000000000400000-0x0000000000594000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 3012	1116	3e9dbddb9384484dac43a4daf031d57e.exe	107
PID 1116 wrote to memory of 3012	1116	3e9dbddb9384484dac43a4daf031d57e.exe	107
PID 1116 wrote to memory of 3012	1116	3e9dbddb9384484dac43a4daf031d57e.exe	107

C:\Users\Admin\AppData\Local\Temp\3e9dbddb9384484dac43a4daf031d57e.exe
"C:\Users\Admin\AppData\Local\Temp\3e9dbddb9384484dac43a4daf031d57e.exe"
1⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\3E9DBD~1.EXE00.bat
  2⤵
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3E9DBD~1.EXE00.bat

Filesize
192B

MD5
a0de4da10896b78b50656bffb13fa068

SHA1
86335c90e14f2874c358274a1286af5f2ec7b84c

SHA256
14574d9f642f600f64f17aa76d21c80d0a6782874e9d360eef0aa9fd39deab3f

SHA512
05a0da7260e19fc53321a5279448a488cfb88e7c2c549c0d0e271ac723dd630d13c36d165abbc5af2226cd13a9efbf237780bf1080818479f520d77106c7ce2c

Download Submit
memory/1116-0-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1116-1-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1116-2-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1116-4-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1116-5-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1116-8-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1116-10-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1116-12-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1116-14-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/1116-17-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads